Potential permitted_uri_chars exploit
#1

[eluser]aamche[/eluser]
Forgive me if this has been covered. I did do some searching to see if it had been covered on the forums and Google.

Currently permitted_uri_chars allows any URL-encoded characters to be passed straight through to most functions using uri_string();

Code:
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';

Example of the attack
Code:
https://www.mysite.co.nz/controller/view/%68%6d%6d%22%3e%3c%69%66%72%61%6d%65%20%73%72%63%3d%22%6a%61%76%61%73%63%72%69%70%74%3a%61%6c%65%72%74%28%27%58%53%53%27%29%3b%22%3e

Given the encoding translation it can be tricky to reproduce. But the above attack will parse an iframe onto any page which calls uri_string() or current_url(), e.g.
Code:
<a href="<?php echo uri_string();?>">link</a>

Currently I'm looking at removing URL-encoded characters (%) from the URI. GET vars seem to be unaffected by the permitted_uri_chars filter.

This is not a database exploit, but a content insertion exploit.

Thoughts and comments welcome.
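As an added example (not part of the post above and not CodeIgniter's own code), the following PHP shows why a character whitelist applied to the still-encoded URI lets the quoted payload through, that the same whitelist rejects it once the segment is decoded, and that escaping at output neutralises it in the template regardless. The regex form and the function names are my own assumptions, built around the permitted_uri_chars value quoted in the post.

```php
<?php
// Added example, not from the forum post or from CodeIgniter.
// Whitelist taken from the post; regex shape is an assumption.
const PERMITTED_URI_CHARS = 'a-z 0-9~%.:_\-';

// Whitelist check on the raw (still percent-encoded) segment.
// '%' and hex digits are all permitted, so encoded HTML passes.
function segmentIsPermitted(string $segment): bool
{
    return (bool) preg_match('|^[' . PERMITTED_URI_CHARS . ']+$|i', $segment);
}

// Same check after decoding: '<', '>', '"', '(' are not in the set,
// so the decoded payload is rejected. Decode before filtering.
function decodedSegmentIsPermitted(string $segment): bool
{
    return segmentIsPermitted(rawurldecode($segment));
}

// Output escaping for an HTML attribute/element context. This is the
// control that holds even if the URI filter is bypassed.
function safeHrefSegment(string $segment): string
{
    return htmlspecialchars(rawurldecode($segment), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: a harmless segment and the encoded segment from the post.
$benign  = 'view';
$encoded = '%68%6d%6d%22%3e%3c%69%66%72%61%6d%65%20%73%72%63%3d%22%6a%61%76%61'
         . '%73%63%72%69%70%74%3a%61%6c%65%72%74%28%27%58%53%53%27%29%3b%22%3e';

printf("raw whitelist, benign:    %s\n", var_export(segmentIsPermitted($benign), true));
printf("raw whitelist, encoded:   %s\n", var_export(segmentIsPermitted($encoded), true));
printf("decoded whitelist, encoded: %s\n", var_export(decodedSegmentIsPermitted($encoded), true));

// In the template, escape on output: the decoded markup is emitted as
// entity-encoded text inside the attribute, not as a live element.
echo '<a href="/controller/' . safeHrefSegment($encoded) . '">link</a>', PHP_EOL;
```

Run it from the command line with php; the first two whitelist checks illustrate the bypass the post describes, the third shows the effect of decoding before filtering, and the final line shows the escaped anchor.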


Messages In This Thread
Potential permitted_uri_chars exploit - by El Forum - 10-11-2013, 10:52 PM
Potential permitted_uri_chars exploit - by El Forum - 10-11-2013, 11:15 PM


